Hi: I have been running a mail system with Exim for several years, using Sophos anti-virus. I want to replace Sophos with ClamAV but have run into a problem.
With the default ClamAV configuration, it reports an email that is both a phishing attempt and also contains a virus, as just a Phishing attempt. With the particular message I encountered, with phishing detection turned on in the config I get:

HTML.Phishing.Pay-19 FOUND

and with it turned off, I get:

VBS.Dropper.Small FOUND

I had planned to just tag phishing attempts and deliver them to the user anyway, in case of false positives, unlike actual viruses that I would delete. And I would tell the difference by checking the 'virus' name for the text 'Phishing'. But it seems this strategy could result in passing viruses to my users which I would like to avoid.

Is there some way to make ClamAV report the more serious condition when there is more than one problem with a message? I assume that a virus is generally considered more serious than a phishing attempt.

Or do I need to run two copies of clamd, one with phishing detection configured on and one with it off, and scan everything twice, in order to detect this type of message? And is it even possible to run two copies of clamd simultaneously?

I have checked the archives, and I understand there has been some discussion of phishing as spam vs. virus, but I didn't see anything about this issue. I hope somebody can shed some light for me.

Thanks in advance for any help.

Russ

--
Russell D. Wilton, E Mail: WILTON(at)ULeth.CA
Info Tech Systems Analyst, Voice: (403) 329-2525
University of Lethbridge, FAX: (403) 382-7108
4401 University Drive
Lethbridge, Alberta, CANADA T1K 3M4
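The tag-or-delete policy described in the post, written so that a malware name from any scan of the message outranks a phishing name. This is an added example, not part of the original post or of ClamAV. It assumes result lines of the form `<target>: <name> FOUND` as quoted above, and the function names and sample lines are constructed for illustration.

```python
import re

# Matches a result line such as "stream: VBS.Dropper.Small FOUND".
FOUND_RE = re.compile(r"^(?P<target>.*?):\s+(?P<sig>\S+)\s+FOUND\s*$")


def signatures(scan_output):
    """Return the signature names reported in one scan's output."""
    names = []
    for line in scan_output.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            names.append(m.group("sig"))
    return names


def scan_failed(scan_output):
    """True if any result line reports a scanner error instead of a verdict."""
    return any(l.rstrip().endswith(" ERROR") for l in scan_output.splitlines())


def verdict(*scan_outputs):
    """Merge several scans of the same message into one decision.

    Returns (action, names):
      "defer"  - a scan errored, so the result cannot be trusted
      "reject" - at least one name that is not a phishing signature
      "tag"    - only phishing signatures matched; deliver with a tag
      "accept" - nothing matched
    """
    if any(scan_failed(out) for out in scan_outputs):
        return "defer", []
    found = [s for out in scan_outputs for s in signatures(out)]
    malware = [s for s in found if "phishing" not in s.lower()]
    if malware:
        return "reject", malware
    if found:
        return "tag", found
    return "accept", []


# Constructed sample output: the same message scanned with phishing
# detection on and off, using the two names quoted in the post.
SCAN_PHISHING_ON = "stream: HTML.Phishing.Pay-19 FOUND\n"
SCAN_PHISHING_OFF = "stream: VBS.Dropper.Small FOUND\n"

if __name__ == "__main__":
    print(verdict(SCAN_PHISHING_ON, SCAN_PHISHING_OFF))
```

Looking only at the phishing-enabled result yields "tag" for this message, which is the delivery risk the post describes; merging both results yields "reject".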
